Creating a PKCS12 keystore file that contains only root certificate chains

About this task

The following steps describe how to complete this task using the OpenSSL toolkit and openssl commands. However, you can use a different key management tool of your choice.


  1. Open the openssl command line to create and initialize a new PKCS12 keystore.
  2. Run the following command:
    openssl pkcs12 -export -nokeys -in <root_signer_ca> -out <keystore_name>
    where -nokeys tells openssl not to require a private key, so the generated file contains certificates only, -in indicates the root signer certificate to include in the generated PKCS12 file, and -out indicates the file name for the new keystore.
    For example:
    openssl pkcs12 -export -nokeys -in digicert-root-ca.crt -out myfile.p12
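
The following script is an added example, not part of the original documentation. It runs the export command from step 2 against a throwaway self-signed root certificate and then checks that the resulting PKCS12 file holds that certificate and no private key. The file names, subject name and password are constructed, and -passout/-passin are used only to avoid the interactive password prompt.

```shell
#!/bin/sh
# Added example: all file names, the subject and the password are constructed.
P12_PASS="changeit"

# Throwaway self-signed root standing in for <root_signer_ca>;
# writes root.crt and root.key into the directory given as $1.
make_test_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test Root CA" \
        -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
}

# The export command from step 2, with the password supplied non-interactively.
make_truststore() {   # $1 = PEM certificate, $2 = output PKCS12 file
    openssl pkcs12 -export -nokeys -in "$1" -out "$2" -passout "pass:$P12_PASS"
}

# Count the certificates stored in a PKCS12 file.
count_certs() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$P12_PASS" 2>/dev/null \
        | grep -c "BEGIN CERTIFICATE" || true
}

# Count the private keys stored in a PKCS12 file; a root-only keystore must give 0.
count_keys() {
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$P12_PASS" 2>/dev/null \
        | grep -c "BEGIN.*PRIVATE KEY" || true
}

# SHA-256 fingerprint of the first certificate in a PKCS12 file.
p12_fingerprint() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$P12_PASS" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}

workdir=$(mktemp -d)
make_test_root "$workdir"
make_truststore "$workdir/root.crt" "$workdir/trust.p12"
echo "certificates: $(count_certs "$workdir/trust.p12")"
echo "private keys: $(count_keys "$workdir/trust.p12")"
echo "in keystore:  $(p12_fingerprint "$workdir/trust.p12")"
echo "source cert:  $(openssl x509 -in "$workdir/root.crt" -noout -fingerprint -sha256)"
```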